CVE-2024-3094: Urgent alert for Fedora Linux 40 and Rawhide users - Fedora Magazine
fedoramagazine.org
Summary: The latest versions of the “xz” tools and libraries contain malicious code that appears to be intended to allow unauthorized access. Specifically, this code is present in versions 5.6.0 and 5.6.1 of the libraries. Fedora Linux 40 users may have received version 5.6.0, depending on the timing of system updates. Fedora Rawhide users may have received version 5.6.0 or 5.6.1.
  • wolf@lemmy.zipEnglish
    17·
    8 months ago

    Supply chain attacks are extremely cheap/easy and very effective, so get prepared for more of them in the future.

    It really bothers me, that many companies make billions utilizing open source without contributing money/employees etc. to secure/supply/maintain supply chains.

    • RedNight@lemmy.ml
      9·
      8 months ago

      This one might not have been that cheap. The malicious code was added by a maintainer on the project for two years. That is some patience

      • wolf@lemmy.zipEnglish
        4·
        8 months ago

        Agreed. I am more speaking of ‘in general’, for example there was a supply chain attack on a widely used npm package by writing an email to the author of the npm package. There are other ‘cheap’ attacks like dependency confusion, typo squatting etc.

  • Thurstylark@lemm.eeEnglish
    9·
    8 months ago

    Me: fixes exposure to vuln

    Also me: grabs popcorn

    This is going to be an interesting story once this all quiets down…

    • NaN@lemmy.sdf.orgEnglish
      11·
      8 months ago

      Gonna take a bit. The dudes been doing the releases for over a year, everything they touched is suspect now even if nothing earlier is known. Also some other associated accounts have been doing shady stuff too.

      And that’s just one project that had a burnt out maintainer who welcomed some help from this guy. There are probably others. The hobby project becoming a core piece is a big issue.

      • SuperIce@lemmy.worldEnglish
        5·
        8 months ago

        Yeah, it looks like that little Jenga block from the xkcd meme was XZ and a bunch of infrastructure is gonna have issues because of it.

      • Brunacho@scribe.disroot.orgEnglish
        4·
        8 months ago

        Gonna take a bit. The dudes been doing the releases for over a year, everything they touched is suspect now even if nothing earlier is known. Also some other associated accounts have been doing shady stuff too.

        gonna take even a bit more now. Github closed the account and project making it really difficult to see their commits and merges and analyze them.

      • Thurstylark@lemm.eeEnglish
        4·
        8 months ago

        Running Arch, so not really exposed, but still had a compromised version installed.

  • annata20@discuss.tchncs.de
    1·
    4 months ago

    CVE-2024-3094 represents a serious security threat for Pokerogue Fedora Linux 40 and Rawhide users. Promptly updating your system and applying the necessary patches are crucial steps in mitigating this vulnerability.